
Loading summary
Eric
This is an update on California's CCPA or CPRA laws.
Richard
Why should I bother about the ccpa? If you're doing business with any California residents, there are non compliance penalties. We're starting to see clients be affected by this. One of the other questions we get asked all the time is, does server side tracking help? No. In that, can you stack the odds in your favour? A little bit. Is Google Analytics compliant by default? No, it's not. So there are a number of steps that you need to take to make GA CCPA compliant. Will it affect your site? Yes, it will. You will have reduced tracking data and you'll probably see a little bit of a reduction in sales. We're going to be missing data. It's as simple as that.
Eric
You're spending real money to drive traffic to your site. But the truth is 98% of that traffic leaves without ever giving you an email. Meta knows who they are, but you don't. Unless you use Instant. Instant helps brands identify anonymous visitors so you can send more abandonment emails, build stronger retargeting audiences and actually recover that lost revenue. Brands like Fate, the label saw a 4.5x boost in their abandonment flows. Massco increased Shopify revenue by over 15%. Third Love, Toys R Us and the Oodie. These are all massive stores that use Instant to see an average ROI lift of 11.2x. They'll even guarantee you a 4x ROI or your money back. It only takes 15 minutes to set up and you'll start seeing results fast. If you're serious about getting more out of the traffic you're already paying for, now's the time to fix it. Get 50% off your first month at Instant One DTC. That's Instant O N E DTC. It's all killer, no filler. And today we are diving in with Pilothouse's technical manager returning to the podcast. Mr. Richard, welcome to DTC. How you doing?
Richard
Thanks, Eric. Yeah, I'm doing well. I can't complain.
Eric
Dougie suggested we bring you on to discuss something that's affecting a lot of people in the industry, affecting Pilot House clients already. And this is an update on California, California's CCPA or CPRA laws. And you say you've sort of prepared a bit of a presentation here. So if you want to kind of take it over, I guess you have slides, you can, you can do a screen share. People listening can either watch on Spotify or YouTube or just listen to Richard's dulcet tones. But yeah, I'll turn it over to you. And then can I ask questions as we go?
Richard
Yeah, totally. Yeah, totally, totally. And you know, while this is an area that I know quite a bit about, you know, in preparing the presentation, I wanted to make sure that I'm not putting anybody completely in, in the wrong direction. And I think it is worth saying right, right at the start here, Eric, you know, I'm not a lawyer. You know, if you've got any concerns about any of this at all, you know, please, please get proper legal representation and advice.
Eric
All right. Disclaimer.
Richard
Disclaimer. So I thought I'd start off by having a look at what is, what is the CCPA. And you mentioned there some other acronyms. The CPRA. So the CCPA 2020 is the California Consumer Privacy Act. This gave people, residents of California, the right to know what personal information is collected about them, why it's being collected, and any third parties with whom their data is being shared. It also allowed them at that time to request deletion of their data and opt out of the sale of their personal information. So that was kind of step one in 2020. And then in 2023 they enacted the California Privacy Rights act, the CPRA. And that gave additional protections, including the right to correct inaccurate information and the creation of the California Privacy Protection Agency, which is also CPRA, but not the act. It's the agency to enforce the law. So they don't operate, you know, in lieu of each other, that they work together. It's a ccpa. And then the CPRA sort of sits on top of, sits on top of that. So, so then I thought, okay, so you know, let's get people's attention here. What, why should I bother about the, the ccpa? And the reason is because if you're doing, doing business with any California residents, then there are, there are non compliance penalties, which is as you alluded to at the top of the podcast, Eric, we're starting to see clients be affected by this. So there's a number of different ways that you can get penalized. So first of all, there's civil penalties. So that's if you have an unintentional violation, an intentional violation potentially, and then if you have repeated violations. So this is where people can basically, you know, go to, go to the law, to the Attorney General, I guess it ends up at, and they can impose various penalties. So it's up to two and a half thousand for an unintentional per violation, seven and a half thousand if it's intentional. And then if they start racking up, then they'll Keep ramping, keep ramping it up. If you have multiple violations. So that's, those are civil kind of civil lawsuits.
Eric
And that could be per email, per person, per email address. So that can.
Richard
Yes per visit. You know, you know, if you're, if there's data flying off to Facebook and Google and wherever else, then yeah, everyone knows that could be a violation. So, so that's the first one. The second one are these consumer lawsuits, the private right of action. So this is where if there's a data breach, so if a CCPA violation results in a data breach due to an addiction security consumers can sue for damages. Now the limit of that is up to 750 per person per incident or the actual damages, whichever is greater. So if I don't know something happens and some data gets leaked and it gets used and they lose more than $750 then they're, they're entitled to get thousand dollars or 2,000 or $5,000, whatever, whatever happened as a result of the data breach. And then it is possible for class action lawsuit filed. So that really could potentially expose businesses to a lot of liability. So that's the second one. Then there's injunctions and other remedies. So an injunction, a court can issue an injunction, just say no, you got to stop until you get compliant. And yeah, this other one, declaratory relief to clarify legal obligations. So I mean these things really can ramped up and then finally the agency which was came out of the CCPRA act in 2023 so this is where they can basically they've got enhanced enforcement powers and they eliminated the 30 day cure period. So there used to be a, you know you've got 30 days to fix it and then you're okay. But they eliminated that. But that still might be granted at the discretion of the, of the agency. They can actually, if they get involved they can actually impose higher fines and, and increase enforcement. So so there's four different ways there that can get hammered.
Eric
It's got teeth stops just short of putting you in the public stocks, have people throw tomatoes at you pretty much. And it stacks. It sounds like it could really stack as well.
Richard
Absolutely.
Eric
It's not mutually exclusive.
Richard
No. So yeah. So you know it's some pretty significant stuff and we are starting to see some of our clients get, get sued under the, the private right of, of action on some of these civil penalties as well. So definitely something people want to want to pay attention to. In California the CCPA does have a threshold and it's a pretty high Threshold. So if your business meets any of the following, if you're doing business in California, so you can be located anywhere at all, but if you're doing business in California, if you've got a gross annual revenue of over US$25 million, second one is if you buy, sell or share the personal information of 100,000 or more California residents or households, or if you derive 50% or more of your annual revenue from selling California residents personal information. Now, their definition of, I'm not sure where I put it, but their definition of selling is pretty broad. If you're getting any kind of business benefit, then that's considered selling. So it's not me, you know, selling you, you know, a load of email addresses necessarily that obviously would be part of it, but in sharing and giving information to Google Analytics or the Facebook pixel or TikTok or wherever, it could.
Eric
Also be interpreted as buying, I think for a lot of our listeners as well, because you're buying, you know, the, the sales through Meta in a way which are giving you all these email addresses. I don't know.
Richard
Yeah, I mean, you know, but you're.
Eric
Saying this applies even though it doesn't say this applies to e commerce sellers.
Richard
Yeah, yes, absolutely. You know, it's not just people who are, you know, in the business of data brokers. Yeah, data brokers. Yeah, absolutely. It's not, it's not just those people. It's, it's, it's, it's, it. This is e commerce businesses. You're, you're going to be part of that.
Eric
Okay, so there's a threshold, but so those listening who are under $25 million can take a small sigh of relief. But probably you never know when they're gonna march this up and, and, and have it apply to more people. So it probably behooves you to pay attention and get, get right as much as you can.
Richard
Absolutely, absolutely. And you know, interestingly, and I, and I'll come to in a second, there's different legislation for different states. So this obviously is California's Privacy act, but there are other Privacy act and I'll just touch on one or two of those in a minute just to kind of clarify what some of the other ones have done. But I'm not going to go through all of the states that have enacted Privacy Act. You know, it really is obviously up to the businesses to do their homework and get their lawyers involved and figure out kind of what, what you need to do. But you know, ultimately it's all heading that, that direction. And of course if anybody's doing business in, in Europe and the GDPR applies to them, then that's even more onerous than, than the CPA ccpa. So yeah, yeah, it's all heading that direction. So I think ultimately even though it's only, it's not all of the US states right now, I think that's, it's going to get there and yeah, so I think everybody's going to have to have to stick adhere to it. I mentioned before about the, the civil, the civil suits. So people can only sue under the CCCPA if personal information is, is stolen. Is, you know, let's say stolen, it gets lost will generously say and it has to be first name or initial and last name in combination with any of the following. So the Social Security number, driver's license number, tax id, passport number, military ID or other, some other unique government issued identification, your financial account number, credit card number, debit card number and any required security codes, PINs, etc. Medical or health insurance or your fingerprint iris image, whatever, some other unique biometric data that could, could identify a particular person, not including photographs, unless they're being used or stored for facial recognition purposes. So, so those are the only times that people can actually sue under the ccpa. So even if you're not, you know, if you're not, if you're not compliant, then the cpa, the agency or one of the other routes could, you could get in trouble for that. But the people, individual people can't sue you just because you know, you've got a Facebook pixel on your site and you didn't tell somebody about it.
Eric
But your credit card number is still happening in this transaction. So you still technically could be sued if you're passing the credit card number.
Richard
Only if that, you know, if they get hacked, you know, if the company gets hacked and that credit card information gets out into the wild, then that's the problem here, that, that's where this, the condition would, would apply. So not just for, not just for storing it. If you're storing it and you didn't tell them, as long as you don't lose it or it gets hacked, then you can't get, you can't get sued. Okay so just to continue that just a little bit, the PI, the personal information must have been stolen in non encrypted and non redacted form. So if it's encrypted and that's fine, I'm going to say fine. I mean, I don't mean obviously that data getting stolen is fine. It's not. But just in the terms of what we're talking about here, it has to be non encrypted or non redacted. It must be stolen. In a data breach, a result of the business's failure to maintain reasonable security procedures and practices, they can sue for the amount of the monetary damages suffered or statutory damages up to $750 per incident, which you know, isn't, isn't too bad. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days for them to respond. And if the business is able to actually cure, fix the violation and give you its written statement that it has done so, you can't sue the business unless it continues to violate contrary to its statement. So fair bit of protection there for businesses that are doing the right thing, trying to do the right thing. You know, you'd have to, you'd have to be pretty negligent I think, to end up being sued under the ccpa.
Eric
Yeah, you'd have to ignore a lot of warning signs.
Richard
You certainly would. You certainly would. So one of the biggest questions we get asked is does the CCPA apply to non California businesses? And yes it does. So if, if you're doing business with California residents, it doesn't matter where you're located. That's the criteria. It's just getting personal information from California residents. So absolutely it applies to non CA businesses. And are there any other states doing privacy stuff? Absolutely. Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia are the ones currently and there's two or three others in the process. So these ones have all enacted some kind of privacy act. There's two or three others who are going through legislation to enact privacy acts. And you know, we're just looking very specifically at the, at the California act here today. But each one of them are slightly different. And just to give you a flavor of that, the Virginia Consumer Data Protection act, the vctpa, their threshold is slightly different from California. So they've got two thresholds. Either one if you, if you meet. So if you're controller processing the personal data of at least 100,000 Virginia located consumers during the calendar year or control or process the personal data of at least 25,000 Virginia customers and you derive over 50% of its revenue from the sale of personal data. So that really is aimed at the data folks. But you'd need to have a pretty big E comm business to be having at least 100,000 Virginia customers, I would imagine. But those Are there? So there's their thresholds. And the other one I pulled out was the Colorado Privacy act, the CPA. They were similar to Virginia, 100,000 or more Colorado residents and derive revenue or receive discounts from the sale of 25,000 or more Colorado residents, which was slightly different. They didn't have the 50% of the gross revenue. They just said any revenue or discounts on goods and services from the sale of personal data of 25,000 or more. So yeah, so that was just a couple of other ones that I pulled out just to give people an example of how other states are doing it. Again, you know, get your lawyers involved, go and have a look at what each of these states are doing. I mean it would be rare for, you know, any one of our E Com clients to not be doing business in pretty much all of the U.S. so you know, I think this is going to apply to almost all of them. And of course once you start enacting it to be compliant with California, you know, are you going to show somebody in Colorado a, you know, a different version of your website and you know, somebody in a non data protection act state, you know something else again, I don't think so. You know, you're going to want to just employ another, you know, across the board solution. But I thought it was worth mentioning mentioning that anyway. So how do we make a store CCPA compliant? So there's three steps. So the first thing you've got to do is you've got to add a privacy that complies with the right to know. And this is where you know, most of them are going to be very similar in terms of what needs to be in this privacy policy. But it's basically saying, you know, here's what we do with your data. You know, if you say yes to the analytics section, you know, then we use Google Analytics or whatever it might be and that's how we use your data in that instance. And we use a Facebook pixel and here's how that's used. So you've got to detail how they're their data is being used. You've got to allow customers access to their data. So they've got to be able to see what it is that they've kind of, you know, signed up to or not. And you've got to allow customers to opt out of the sale. And I say the sale is very much anything that's business transactional, analytics, pixels, all that sort of stuff. So they've got to be able to say, yeah, no thanks, I don't I don't want to be, I don't want to be in this. So those are the three steps to actually making a store an E commerce store, CCPA planned.
Eric
How do you let your customers know their data? Is that like in their customer profile there you needed to add a tab that's like data and it's like, here's the data we have on you.
Richard
Yes. So I was going to come to that because, yeah, I mean essentially you somehow need to say, okay, you know, here's your data, Eric or Richard or whoever it might be. So the best way certainly if you've got a Shopify store, would be to use one of the compliance extensions and Consent Mode and Pandecties are the two best well known on Shopify. There's another one which kind of works with Shopify as well as a number of other platforms called Secure Privacy. There are a few others, but certainly for Shopify, Consent Mode, pendect, these are the ones I've seen the most of. And what these compliance extensions do is that they, they do everything so literally, you know, they'll do the banner that comes up or whatever it is, you know, and says, hey, you know, we, we use your data. Are you in, are you out? Or here's your. What options do you want to have a look at? They also then will allow customers to access their data via the extension and then they can also opt out at any point. So the full compliance extensions like Consent Mobinecties, Secure Privacy, they handle it all. There are other banner kind of extensions, but they're not doing it all. You know, the banner ones will just come up and say, hey, you know, we use third party cookies, you know, do you want to do you consent for functional use, essential use, functional use, analytics. And then the fourth one's usually targeting advertising, but that's all that they do then, you know. So if to be compliant you've got to give people access to the data, you know, the banner extensions don't do that. And if somebody wants to opt out, then they also don't do that either. Other than going back again and the software not realizing that they've already opted in and given them the opportunity to opt out, which is obviously problematic. So be careful. If you're trying to be fully compliant, look at the one of the full compliance extensions like Consent Modeectes and or something like Secure Privacy. Now one of the other questions we get asked all the time is does server side tracking help? No, in that server side tracking doesn't bypass your need to comply You've still got to comply. The server side tracking platforms like Elevar and I've talked about Elevar on this podcast in the past and they do work with compliance apps, extensions. So Elevar, for example, they work with Pandectes, OneTrust, Consent, Mo, Cookiebot, PI, User Centrics, TrueVault. I think that's an exhaustive list as we speak, you know, so if you've got one of these other platforms, then, you know, something like Elevar will work with those. Now what it doesn't do, you know, it's bypass. You know, just because your server side tracking doesn't mean. Okay, I'll, you know, I'll track them using, you know, first party. It's, it's totally fine. I'm not using cookies. No, you can't do that. If somebody says I'm out whenever they go to the Banner, you literally, you can't track them. You can't use their data. No ifs, no buts, you know, if you're being compliant, you can't track them. You're not allowed to track them.
Eric
That's so tough. But they see the ad in the wild. They don't really know have a way of knowing whether they were retargeted or just targeted.
Richard
No. But yeah, you know, when they come to your site. My site, yeah. They're entitled to, they're entitled to find that out if you're being compliant. So it's a real, it's a real pain. And I have to say I'm sort of going off, off script a little bit here. I, I think it's, I think it's way, way overkill. I mean, you know, these websites, a lot of them are providing, you know, services, they're providing products, you know, that, that people want, they've got to make money in. And I think, I think it's gone too far the way of.
Eric
Or too broad. The brush has been too broad. If we're talking about data brokers, spammers. Yeah, you know, 100 things like that. They should, yeah, but, but, but they should have had some more provisions in this to shield legitimate businesses who are collecting data at large scale due to them wanting to, they're, you know, wanting the products that they're selling.
Richard
Exactly, exactly. And you know, if you're online and you're, you know, you want to buy the product or find out some information, then, you know, that's fine. I mean, did people expect to get a newspaper for free before the Internet existed? No, of course not. You paid, you expected to pay for the newspaper because there was a lot of stuff went on and behind it. Why is this any different? And this is my, just my personal opinion that you're hearing here, But I.
Eric
Asked ChatGPT for a, you know, an outline of the things that, that E commerce advertisers would need to know. The first one is that you're liable even if you're not based in California. This is just if you make any sales or what you mentioned. I think that's great. The other, the thing that I mentioned here is that performance marketing tools often can trigger compliance requirements just because when you're going with pixels across all these different platforms, relying on a lot of growth across meta TikTok Klaviyo, you're, you're sort of just like inherently in these woods the way that it's written.
Richard
Absolutely. 100% you are. 100% you are. And say I think this is where it's gone, it's gone too far. Because if it's all, you know, anonymized, you know, and it's grouped up, you know, so that any particular audience has to be at least, you know, 100 people, thousand people, whatever, you know, then you can't individually identify somebody to target them that they're just part of. They're just part of buckets. And would I rather get, get ads that I'm interested in? Absolutely. You know, I don't want ads for stuff that I'm not, not interested in. So it's, you know, in my opinion and they say this is my personal opinion. I think, I think this is all a little bit, a little bit overkill.
Eric
But, but it's happening, it's legal enforcement is happening, it's happening to clients. But like I, I know we obviously can't give too much information there, but can you paint that picture a little bit about, about what went wrong there?
Richard
I don't know the details. So I'll, I, you know, I'll, I'll maybe try and find out. Maybe we can do a little follow up or something. But, but yeah, they're getting, they're getting sued by, I think it's individuals. So for that to happen there has to have been a data breach. You know, they have to have their data has to come out from that company into the wild. And I'm not sure that that's actually what happened. So it could, it could be maybe somebody just having a bit of a phishing exercise.
Eric
And that's the big problem is whenever you get these broad rules, you get all the People in there, I forget what their term is for that kind of law. Yes, but people that will just exploit, you know, this kind of situation to.
Richard
To make money 100% and you know, the US is, you know, it's particularly litigious and frivolous.
Eric
Yeah, exactly.
Richard
Yeah. So it feels like it's a bit of a, you know, a bit of a field day out there. So yeah, I'll actually give you some, some data. I've just got a couple more slides here just on could the impact of that implementing you know, kind of full compliance kind of has very quickly. I just want to say that the, you know, can you stack the odds in your favor a little bit? If you're, if you're going after gdpr then no, it's totally opt in, you know, so all of those boxes have to be cleared. Nothing has to be, you know, can be pre ticked. People have to tick every one of those boxes to opt into, you know, say essential functional targeting, etc. Etc. With the CCPA so far at least it can be opt out. So you can have all of those boxes ticked and just say yeah, I can send to all. So it's an opt out model currently in the ccpa. So that's, you know, so that's something at least, you know, you're not making people, you know, check four boxes before they can actually get in. They can just, just click one and, and off they go. So that's something that you can, that you can do. Is Google Analytics compliant by default? No, it's not, unfortunately. So there are a number of steps that you need to take to make GA CPA compliant. Again it's the policy make sure you're not storing things like user IDs in GA. Enable IP anonymization. That's just a very quick update with the, with the code you disable data sharing. Now that's a little bit of a pain because that's all your remarketing stuff. You add your cookie consent banner and then if somebody access, wants access to their data, there is a way actually within GA that you can, that you can do that. But that's literally just ga. I'm not talking about, you know, Google Ads, I'm not talking about Facebook, TikTok, anything, anything else that's just, that's just GA there Canada, just because we're Canadian. There is a thing called pipeda which is very similar to CCPA and pretty much the rules and regulations are the same except there are no thresholds. It does apply to all E Comm. Businesses. It's not really being enforced in Canada. However, the CCPA has been talked about for quite some time. It would be very similar to the gdpr, so literally it would be much more strict. It hasn't gone through yet, but they're talking about it in Canada. So officially to be a client in Canada you are supposed to have consent banners and all that, all that good stuff like the ccpa.
Eric
And so you've said consent banners a few times. So consent banners are literally just, they're, they're horizontal things that go across your site or like where are the banners specifically? They're in the checkout process.
Richard
No, as soon as you come onto the site. Because if you do, if you don't give, ask people for consent as soon as they hit your site, then you're.
Eric
Not, it's too late.
Richard
Yeah, so, so as soon as they hit your site, I'm sure you've come across them. They use these sort of banners at the bottom. But you can actually, I think consent mode and pandecties, I think you can kind of say, well actually could you do it like a pop up or could you do it like. I think there's two or three ways that you can do it on these compliance platforms, but most people will know from the bottom.
Eric
Yeah.
Richard
And it says, hey, you know, do you agree? Type thing. And there's three or four boxes that you can, that you can check. Just to finish off Eric, I thought, you know, how can all this affect your E commerce site? Say you, you know, you want to be above the law, you want to be compliant. What impact might this have? Will it affect your site? Yes, it will. You will have reduced tracking data and you'll probably see a little bit of a reduction in sales. Although I think when everybody becomes compliant then it'll have less of an impact because people will just be used to it and it'll just be one of the standard things that happens every time you go to a, a website. You know, if you haven't already given your compliance and the cookie's not there, then it'll say, you know, are you compliant? Sorry, are you, are you in or are you out? And I think people will eventually get, get used to that. Will it do away with the missing data? No, I mean, you know, we're going to be missing data, it's as simple as that. But GA and various platforms have been modeling for, for years, so we'll just have to get better at modeling and modeling and just finally to finish. I wanted to give a very recent client Example, one of those clients that was getting sued, potentially sued, they went ahead and implemented one of the compliance platforms and what they saw was a 28% reduction in conversions coming through on Google Ads. They saw a 58% reduction in overall sessions coming through on Google Analytics. However, they only saw a 4% reduction in actual purchases. So lots of data missing. But the overall impact on their business was, you know, nobody wants to see your business go down, but it wasn't as, as big as, you know, the missing. Obviously the missing data might have, it's.
Eric
A great shout indicated.
Richard
So I don't think that's on atypical. I think that's going to be similar to whatever anybody's going to see if they're implementing some of these consent platforms.
Eric
What percentage of customers are going to manage their data, I wonder. Right.
Richard
Like I would imagine I don't have that, but I'd. IMAG is very small. I, I could care less about.
Eric
Yeah.
Richard
You know, about my, my data. In fact, in fact, typically when I go onto one of those sites, I go functional, yes. Advertise, no. Targeting, no. And analytics. Yes. And I'll, you know, because obviously part of the industry and I know what it's like if you're missing analytics data and stuff, so.
Eric
Oh, that's nice of you.
Richard
Yeah, I'm a decent sort, you know, that's good. But that's typically what I'll do, I'll do. So.
Eric
Yeah, yeah, so get on it. Get, get compliant out there, folks, if you're under that 25 million threshold.
Richard
Yeah. Because you could really end up in trouble and, you know, and have no business and be sued for millions. So we don't want that to happen to anybody. And, and it is, it is fairly, fairly straightforward. The downside is the lack of data, but I think that's coming anyway, you know, whether it's via one of these privacy acts or whatever. It's, it's, it's, it's going to happen. So we'll all just be top of Funnel advertising in due course, Eric. And yeah, you know, there will be.
Eric
No remarketing, there will be no just newsletter advertising.
Richard
It'll just be top of Funnel.
Eric
Everything is top of funnel. I like that. Like the industry needed another big hurdle to get over and help me. So I understand these tools and the, the banner that'll pop up for all new people coming on. How do you get compliant with all the data you may be storing for your existing customers and customer base?
Richard
So, yeah, so you've basically got to get it all in. Now, some of those compliance platforms, they'll import what they can. You've just got to try and kind of catch up with whatever you can. And if you are storing any kind of personally identifiable information, pii, get it into one of those compliance platforms or get rid of it. Because if that goes out into the wild, that's really when you get into, into big trouble. So if you've got any kind of Social Security numbers, credit card numbers, bank account numbers, anything like that at all.
Eric
Geolocation was one that kind of surprised me in your presentation there, just because I feel like every ESP keeps track of people's IP addresses or their approximate geolocation.
Richard
Anyway, yeah, an IP address is considered pii and you know, and a Mac address would be a pii, a user id. If you're, you know, say you're using it in GA or something to, to track users, that's pii, and that's one of the things you'd have to get rid of for, for GA to be compliant. So.
Eric
Yeah, and so you need them if they accept it. Now, if I've, if I've been a customer for a long time at a brand, but I go to their web and I haven't, and they haven't implemented any of this stuff, and then one day they implement it and I go on there and I say, accept all. Accept all, Accept all. Does it like retroactively, like, you know, make it okay? You're not a lawyer.
Richard
I know, but that's a good question. And I'm not a lawyer. I would imagine. I would imagine. Yes, it does. You know, because they, it's you, you know, whether, yeah. Whether you gave your info a year ago or. True. Yeah, you know, it's your, it's, it's your data. No, it doesn't, it never excuses a breach. You know, if you're, if you're a PII gets out into the wild because of a breach, that never gets, that's never excused. But if you're then, you know, unhappy because Facebook show you an ad about, you know, something you visited on their site, then, then no, you can't, you can't do anything. You wouldn't be able to go back, I guess, if you could prove that you're being targeted before you gave your consent.
Eric
Totally.
Richard
But I'm not seeing many of those kind of, kind of lawsuits. Certainly not in Canada yet anyway, so.
Eric
Nice. Well, another podcast of hyper relevant necessary information. Are there any, any other further points you wanted to highlight here?
Richard
No, I don't think So I think, you know, I think everybody's, you know, going to have to do this at some point. Obviously the bigger businesses, 25 mil in California particularly. But yeah, I think just get on it and get it done because yeah, you just don't want anything to, you know, to happen to your business. But you know, the downside is the lack of, you know, the lack of data. And we're always complaining about the lack of data before this. You know, this is only going to get, get worse. But you know, maybe the sooner you embrace it, the sooner you'll find ways and means of overcoming it.
Eric
So I don't, I have a sci fi hunch that I talk about on this podcast all the time that we're going to get to more of an era where we have our data profiles that are a bigger part of like who we are and what we recognize. We'll have to, you know, UBI in the future will be tied to these digital profiles and, and we'll be, and we'll have AIs that like help manage all of our personal data. So we won't have, because we, we don't really care, you know, about so much of them, but we'll have AIs that like, that we give settings to and then it will allow, and we'll find more and more ways where we're intermediating in the world between, between our AIs and we'll monetize, we'll actually monetize our data better. Like everyone will be an influencer. Like literally when that system kind of comes into place.
Richard
Absolutely. And you know, it makes, it makes sense if, you know, if I always, if I'm always happy to be, you know, everything except, you know, targeting or whatever it is or I'm totally happy to be everything then, you know, why, why do I need to just keep doing that on every site that I go to if AI can knows me and then I go to any site and it just preemptively just goes, yeah, Richard, he's good, he's good to go on all of this and whatever, whatever it might be. So I hope that's where it ends up.
Eric
Yeah. Well if you want to talk to a semi pro about this, you should email Richard at Pilothouse. And again, he's not a lawyer, but he's researched it probably more than most. But anyways, have a look at it for your organization, make sure you're compliant. Maybe I'll put the notes from this presentation in the show notes so that if anyone wants to go deep on the options kind of laid out there. We'll make that available for everyone. Thanks for coming on today, Richard.
Richard
This is good. You're very welcome. Good to see Eric.
Eric
Thanks for listening to today's episode. If you're not getting the D2C newsletter, you can subscribe for free at directtoconsumer Co. And if you want to learn more about Pilothouse's all killer no filler services, take off to Pilothouse Co. I'm Eric Dick and this has been the DTC podcast. We'll see you next time.
DTC Podcast - Episode 518: CCPA/CPRA Explained - What Every Ecommerce Tech Manager Must Know | AKNF
Release Date: June 20, 2025
In Episode 518 of the DTC Podcast, hosted by the DTC Newsletter and Podcast team, Eric Dick engages in an in-depth discussion with Richard, the Technical Manager at Pilothouse, about California's Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA). This episode serves as a crucial guide for ecommerce businesses navigating the complexities of data privacy laws, particularly those operating or engaging with customers in California.
[00:00 - 02:30]
Richard begins by clarifying the distinctions between CCPA and CPRA:
CCPA (2020): Grants California residents rights to know what personal information is collected, the purpose behind its collection, and the third parties with whom it is shared. It also allows them to request data deletion and opt-out of the sale of their personal information.
CPRA (2023): Enhances CCPA by adding rights to correct inaccurate information and establishing the California Privacy Protection Agency to enforce the law.
Notable Quote:
"The CCPA 2020 is the California Consumer Privacy Act. This gave people, residents of California, the right to know what personal information is collected about them..." — Richard [02:56]
[02:30 - 07:18]
Richard emphasizes the necessity for businesses to comply with CCPA/CPRA, especially if they engage with California residents. Non-compliance can lead to significant penalties:
Civil Penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation, with fines escalating for repeated offenses.
Consumer Lawsuits: Individuals can sue for damages up to $750 per incident or the actual damages suffered, whichever is greater.
Injunctions and Other Remedies: Courts can issue orders to halt non-compliant practices until issues are resolved.
Notable Quotes:
"If you're doing business with any California residents, there are non-compliance penalties." — Richard [00:05]
"You'll have reduced tracking data and you'll probably see a little bit of a reduction in sales." — Richard [00:51]
[07:18 - 09:32]
CCPA applies to businesses meeting any of the following criteria:
Notable Quote:
"If you're doing business with any California residents, it doesn't matter where you're located." — Richard [09:16]
[09:32 - 13:28]
Richard outlines that several other states have enacted or are in the process of enacting privacy laws similar to CCPA/CPRA, including Virginia, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and others. Each state has unique thresholds and requirements, underscoring the need for businesses to stay informed and compliant across multiple jurisdictions.
Notable Quote:
"It's all heading that direction... I think everybody's going to have to adhere to it." — Richard [09:32]
[13:47 - 21:15]
Richard outlines a three-step process for ecommerce stores to become CCPA compliant:
Update Privacy Policy: Clearly detail data collection, usage, and sharing practices.
Provide Customer Access to Data: Implement mechanisms allowing customers to view their personal data stored by the business.
Enable Opt-Out Options: Allow customers to opt out of the sale or sharing of their personal information.
Tools and Extensions:
Notable Quotes:
"If you want to be above the law, you want to be compliant." — Richard [30:25]
"Consent banners... need to be presented as soon as users hit your site." — Richard [27:16]
[21:15 - 30:51]
Implementing compliance measures affects ecommerce operations:
Reduced Tracking Data: Businesses may experience a decrease in analytics and remarketing capabilities.
Potential Sales Reduction: Some businesses reported significant drops in conversions and overall sessions; however, actual purchase reductions might be minimal.
Data Management: Existing customer data must be imported into compliance platforms or securely deleted to prevent breaches.
Case Study: A recent client faced a 28% reduction in Google Ads conversions and a 58% decrease in overall sessions after implementing compliance measures, but only a 4% drop in actual purchases.
Notable Quotes:
"You will have reduced tracking data and you'll probably see a little bit of a reduction in sales." — Richard [00:51]
"They saw a 28% reduction in conversions coming through on Google Ads." — Richard [29:33]
[30:51 - 35:46]
Both hosts express concerns over the breadth and enforcement of CCPA/CPRA:
Overreach: The regulations may be too broad, affecting legitimate businesses that rely on data for operations and growth.
Litigation Risks: The U.S. legal landscape is highly litigious, with potential for frivolous lawsuits exploiting the laws.
Richard shares his personal stance, feeling that while data privacy is essential, the current implementation may hinder business growth and data-driven marketing strategies.
Notable Quotes:
"I think it's gone too far the way of." — Richard [21:53]
"The US is particularly litigious and frivolous." — Richard [24:31]
[35:46 - End]
Looking ahead, Eric speculates on a future where AI manages personal data profiles, offering users more control and monetization opportunities. Richard agrees, envisioning a system where AI intermediates consent across platforms, simplifying the user experience while maintaining data privacy.
Notable Quotes:
"We're going to have our data profiles that are a bigger part of who we are and what we recognize." — Eric [34:11]
"AI can knows me and then I go to any site and it just preemptively just goes, yeah, Richard, he's good to go." — Richard [35:20]
The episode underscores the critical importance of understanding and complying with data privacy laws like CCPA and CPRA for ecommerce businesses. While compliance may pose challenges, including reduced data and potential sales impacts, it is essential to mitigate legal risks and build customer trust. Utilizing specialized tools and staying informed about evolving privacy regulations across different states will be pivotal for businesses aiming to thrive in a privacy-conscious market.
Final Thoughts:
"But you just have to ... make sure you're compliant." — Eric [35:46]
Resources Mentioned:
Compliance Extensions for Shopify:
Server-Side Tracking Platforms:
Compliance Apps:
For more detailed insights and assistance with compliance, listeners are encouraged to reach out to Richard at Pilothouse or visit directtoconsumer.co.
This summary captures the essential discussions and insights from Episode 518 of the DTC Podcast, providing a comprehensive overview for listeners and those interested in ecommerce data privacy.